ENSEMBLE MODEL WITH EXPLAINABLE AI FOR ANOMALY DETECTION IN CRITICAL INFORMATION INFRASTRUCTURE NETWORKS
Abstract
Protecting Critical Information Infrastructure from sophisticated cyber-attacks is a paramount national security concern. Machine learning-based anomaly detection systems offer a promising defense. However, they are severely undermined by extreme class imbalance, which leads to high false negatives, and by their inherently "black box" nature, which erodes analysts' trust and hinders operational adoption in high-stakes Security Operations Centers. This research directly addresses this triad of challenges by proposing a novel hybrid ensemble framework with integrated Explainable AI. The methodology first employs a hybrid ADASYN+Tomek Links technique to create a balanced and clean training dataset. This data is used to train a high-performance stacked ensemble model that leverages a Random Forest and a 1D-CNN as base learners, with a Logistic Regression meta-learner. A SHAP layer is integrated to provide human-interpretable, feature-based explanations for every alert. Evaluated on the NSL-KDD benchmark, the proposed model demonstrated superior performance, achieving 92.37% accuracy, 92.41% F1-Score, and an AUC-ROC of 0.9612. Most critically, it achieved a False Negative Rate of 6.86%, a 30.6% relative reduction over a comparable ADASYN+Tomek+RF benchmark, while also robustly detecting rare U2R (88.50% recall) and R2L (90.45% recall) attacks. The XAI component was shown to effectively diagnose both true positives and false positives, bridging the trust gap for analysts. This work delivers a high-performance solution by making the following contributions to the field: a unified framework that simultaneously targets class imbalance, detection performance, and operational transparency; a 30.6% relative reduction in False Negative Rate compared to the best published ADASYN+Tomek+RF baseline; and a demonstrated SHAP-driven diagnostic workflow that actively assists security analysts in both validating true positives and resolving false positives.
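The resampling step the abstract describes, as an added, dependency-free illustration (not the authors' code): a small ADASYN implementation followed by Tomek-link cleaning, run on constructed two-dimensional data rather than NSL-KDD. ADASYN weights synthetic generation towards minority points whose neighbourhood is dominated by the majority class; the Tomek pass then drops the majority member of every mutual-nearest-neighbour pair of opposite classes.

```python
import math
import random

def _dist(a, b):
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))

def _knn(i, X, k):
    """Indices of the k nearest points to X[i], excluding i itself."""
    return sorted((j for j in range(len(X)) if j != i), key=lambda j: _dist(X[i], X[j]))[:k]

def adasyn(X, y, minority=1, k=5, beta=1.0, seed=0):
    """ADASYN: synthesise minority points, weighted towards minority samples whose
    k-neighbourhood is dominated by the majority class (the hard-to-learn border)."""
    rng = random.Random(seed)
    min_idx = [i for i, c in enumerate(y) if c == minority]
    G = int(beta * (len(y) - 2 * len(min_idx)))  # synthetic samples needed to balance
    nbrs = {i: _knn(i, X, k) for i in min_idx}
    ratios = [sum(y[j] != minority for j in nbrs[i]) / k for i in min_idx]
    total = sum(ratios)
    weights = [r / total for r in ratios] if total else [1 / len(min_idx)] * len(min_idx)
    X_out, y_out = list(X), list(y)
    for i, w in zip(min_idx, weights):
        # interpolate towards a minority neighbour (any other minority point as fallback)
        cand = [j for j in nbrs[i] if y[j] == minority] or [j for j in min_idx if j != i]
        for _ in range(round(w * G) if cand else 0):
            j, lam = rng.choice(cand), rng.random()
            X_out.append(tuple(a + lam * (b - a) for a, b in zip(X[i], X[j])))
            y_out.append(minority)
    return X_out, y_out

def tomek_links(X, y):
    """Pairs (i, j) of opposite-class points that are each other's nearest neighbour."""
    nn = [_knn(i, X, 1)[0] for i in range(len(X))]
    return [(i, nn[i]) for i in range(len(X)) if i < nn[i] and nn[nn[i]] == i and y[i] != y[nn[i]]]

def remove_tomek_majority(X, y, minority=1):
    """Drop the majority member of each Tomek link: the borderline/noisy majority points
    that blur the class boundary once the minority class has been oversampled."""
    drop = {j if y[i] == minority else i for i, j in tomek_links(X, y)}
    keep = [i for i in range(len(X)) if i not in drop]
    return [X[i] for i in keep], [y[i] for i in keep]

def adasyn_tomek(X, y, minority=1, k=5, seed=0):
    """The hybrid step from the abstract: oversample with ADASYN, then clean with Tomek links."""
    X_over, y_over = adasyn(X, y, minority, k, seed=seed)
    return remove_tomek_majority(X_over, y_over, minority)

# Constructed toy data (not NSL-KDD): 12 "normal" records (class 0) on a grid, 3 "attack" records (class 1).
X_DEMO = [(x, y) for x in range(4) for y in range(3)] + [(2.5, 1.5), (2.6, 1.4), (4.0, 4.0)]
Y_DEMO = [0] * 12 + [1] * 3
```

On the toy data the two boundary attack points get three synthetic samples each and the isolated one gets two, so the minority class grows from 3 to 11 before the Tomek pass removes only majority points.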
Copyright (c) 2026 Science World Journal

This work is licensed under a Creative Commons Attribution 4.0 International License.